State of the CSO 2010: Progress and peril

From the US CSO bureau:
Security is very old in most respects, yet very young in others. As a corporate discipline, security unfortunately languished for years in the basement.

Today, as organizations come to grips with a wide swath of risks, the 2010 State of the CSO survey shows those organizations are rapidly adopting more sophisticated view of security. Of course, there's more work to be done--most prominently in the areas of security metrics and awareness programs.

Let's look at the numbers.

(You can also find State of the CSO survey results from 2009 and 2008.)

1. How well does each statement describe your organization? (Percent who agree or strongly agree with each statement.)

2004

2010

Senior management has established a security policy and auditing process

23%

81%

Senior management views the security leader's role as strategic and permanent

17%

72%

Security is viewed as essential to business as opposed to an overhead cost

25%

66%

Security considerations are a routine part of your company's business processes

28%

63%

All employees receive training in all security policies

38%

78%

All employees know the sanctions and consequences of a security policy breach

42%

63%

All managers in the organization understand their roles and responsibilities in regards to security

45%

44%

All employees consider security to be part of their everyday responsibilities

38%

40%

Take a moment to reflect on the enormous progress reflected in the chart above.

Six years ago, respondents reported a generally low regard for security risk management within their companies. Policies were not defined. Security leaders were sidelined. Training was minimal.

Today's scenario is different on almost every score; 2010 respondents indicate that security programs are well established in most companies, including policies, personnel and training.

Other than Internet marketing, has any other corporate discipline enjoyed such a rapid and widespread rise in credibility during the same decade? At the risk of falling into a cheerleader role, this is worth noting and celebrating. Current events have clearly been a huge driving factor, but today's security leaders still deserve a pat on the back for helping craft the right organizational response to today's threats.

These 2010 numbers aren't a fluke. Progress in each area has been steadily upward over the years.

Having said that, those upward trends highlight the lack of progress in the bottom two issues. (See next chart for more detail.)

***

2. How well does each statement describe your organization? (Percent who agree or strongly agree with each statement. A breakout of 2010 data from chart 1 above, by company size)

At big companies

At small companies

All managers in the organization understand their roles and responsibilities in regards to security

39%

53%

All employees consider security to be part of their everyday responsibilities

33%

44%

This chart digs into a bit more detail on the two lagging issues noted in the first chart. In most awareness issues, big companies tend to score better than small companies. In these two, however--where overall progress is lacking--smaller companies actually report higher scores than their larger brethren.

We first noted this gap last year, and it persists this year. In last year's survey write-up, we wondered whether this indicates that larger companies are overly reliant on process. A bigger organization naturally tends more toward specialization, which isn't bad, but it can lead to stovepiping, which is. Employees and managers at smaller companies may be more likely to think of their job descriptions as ending with, "and other duties as necessary."

That may be true. But presented with this data, one CSO offers a simple and clear explanation: "I would suggest this is all down to security management failing to communicate adequately with their audience," says Brian Connor, CSO of Genpact, based in Gurgaon, India.

So what to do about it? Jason Richards, CISO for the Virginia Community College System, prescribes better-tailored awareness programs. This means exercises and examples using the specific data or assets the trainees handle every day. That's more work than creating a one-size-fits-all newsletter and poster set.

On the other hand, the data suggests that the blanket approach simply isn't very effective.

***

3. Which of the following methods and calculations do you apply in the security budgeting process?

2008

2010

Return on Investment

46%

34%

Total Cost of Ownership

39%

32%

Annual Loss Expectancy

14%

13%

Net Present Value

N/A

10%

Economic Value Added

16%

9%

No formal methodology

42%

51%

(Respondents could select multiple answers.)

It's easy to look at this chart, indicating a slow retrenchment in the use of specific common financial methodologies, and say this is another area where progress is not being made.

These methodologies are the standard language of business. However, they are notoriously difficult to apply to security with any confidence. For example, annual loss expectancies (a key data point in many calculations) derived from one industry may look fishy to companies in another industry.

"I think they are difficult, though not impossible, to use in the security area. People may start using them, but then find them cumbersome" and give up on them, says Richards.

So we'll stop short of calling a drop in economic value added (EVA) usage a step backward for security. However, the obstinate persistence of "no formal financial methodology" remains troubling. If those specified in the survey don't work, security as a field needs to develop credible alternatives if it wants to achieve long-term success. John Petrie, CISO at Harland Clarke Holdings, notes that while none of the methods listed here are perfect for capturing the value of security, they may be a start in piecing together the puzzle.

Calculating the value of security "encompasses much more than this type of data," Petrie wrote in an e-mail response. "It also includes revenue numbers (or loss thereof), cost for response to incidents (per-record cost), and risks--reputational or otherwise--which are not easily calculated. I think people are developing new, holistic ways to communicate the security value," Petrie says, "and using new measurements, in addition to traditional ones such as total cost of ownership (TCO), ROI, and EVA, to support the statement. As an example, deploying a data leakage protection solution is difficult to sell to leadership using just TCO or ROI," he says. But when it's combined with the ability to block employees from inadvertently sending out confidential data or intellectual property, he says, it "becomes a more powerful value statement. It becomes less of a cost discussion and more of an 'acceptable risk' discussion."

Setting aside the long-term picture for a moment, what does the near future hold? For most security departments, steady resources or a modest uptick. That's not surprising, as it mirrors the general direction of the world's economy.

***

5. In the past 12 months, has your organization's leadership placed more value or less value on risk management?

More value 54%

No change 40%

Less value 6%

Respondents also say their organizations' leadership has placed more value on risk management in the past 12 months--or at least no less value. This continues the general trend of the past several years, although the percent responding "more value" was at a peak a few years back (69 percent in the 2006 survey).

***

6. Does your organization use a formal enterprise risk management process or methodology that incorporates multiple types of risk?

2009 2010

YES 46% 57%

NO 57% 43%

The rise of formal enterprise risk management (ERM) has exceeded all but the most optimistic predictions. ERM may in fact be the replacement for the languishing financial methodologies noted above.

Jeff Spivey, President of Security Risk Management, reported at the CSO Perspectives conference in April that companies with a demonstrable ERM effort can receive better credit ratings. Better credit ratings allow companies to borrow money at lower interest rates.

CSOs should not fail to seize on that fact, as it hits the corporate bottom line quite directly. At this time, developing a full-fledged ERM program and working with your colleagues to mature that program may be a higher priority than working out the details of EVA or cost-based accounting.

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited. Copyright 2013 IDG Communications.
ABN 14 001 592 650. All rights reserved.

Contact Us

With over 25 years of brand awareness and credibility, Good Gear Guide (formerly PC World Australia), consistently delivers editorial excellence through award-winning content and trusted product reviews.